本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
稽核帳戶中的 Amazon S3 儲存貯體政策
在 AWS Control Tower 中,只有當請求來自您的組織或組織單位 (OU) 時, AWS 服務才能存取您的資源。必須符合任何寫入權限的aws:SourceOrgID條件。
您可以使用aws:SourceOrgID條件金鑰,並在 Amazon S3 儲存貯體政策的條件元素中將值設定為組織 ID。這種情況可確保 CloudTrail 只能代表組織內的帳戶將日誌寫入 S3 儲存貯體;它可防止組織外部的 CloudTrail 日誌寫入 AWS Control Tower S3 儲存貯體。
此原則不會影響現有工作負載的功能。該策略顯示在以下範例中。
S3AuditBucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref S3AuditBucket PolicyDocument: Version: 2012-10-17 Statement: - Sid: AllowSSLRequestsOnly Effect: Deny Principal: '*' Action: s3:* Resource: - !Sub "arn:${AWS::Partition}:s3:::${S3AuditBucket}" - !Sub "arn:${AWS::Partition}:s3:::${S3AuditBucket}/*" Condition: Bool: aws:SecureTransport: false - Sid: AWSBucketPermissionsCheck Effect: Allow Principal: Service: - cloudtrail.amazonaws.com - config.amazonaws.com Action: s3:GetBucketAcl Resource: - !Sub "arn:${AWS::Partition}:s3:::${S3AuditBucket}" - Sid: AWSConfigBucketExistenceCheck Effect: Allow Principal: Service: - cloudtrail.amazonaws.com - config.amazonaws.com Action: s3:ListBucket Resource: - !Sub "arn:${AWS::Partition}:s3:::${S3AuditBucket}" - Sid: AWSBucketDeliveryForConfig Effect: Allow Principal: Service: - config.amazonaws.com Action: s3:PutObject Resource: - Fn::Join: - "" - - !Sub "arn:${AWS::Partition}:s3:::" - !Ref "S3AuditBucket" - !Sub "/${AWSLogsS3KeyPrefix}/AWSLogs/*/*"Condition: StringEquals: aws:SourceOrgID: !Ref OrganizationId- Sid: AWSBucketDeliveryForOrganizationTrail Effect: Allow Principal: Service: - cloudtrail.amazonaws.com Action: s3:PutObject Resource: !If [IsAccountLevelBucketPermissionRequiredForCloudTrail, [!Sub "arn:${AWS::Partition}:s3:::${S3AuditBucket}/${AWSLogsS3KeyPrefix}/AWSLogs/${Namespace}/*", !Sub "arn:${AWS::Partition}:s3:::${S3AuditBucket}/${AWSLogsS3KeyPrefix}/AWSLogs/${OrganizationId}/*"], !Sub "arn:${AWS::Partition}:s3:::${S3AuditBucket}/${AWSLogsS3KeyPrefix}/AWSLogs/*/*"]Condition: StringEquals: aws:SourceOrgID: !Ref OrganizationId
如需有關此條件金鑰的詳細資訊,請參閱 IAM 文件和標題為「針對存取資源的 AWS 服務使用可擴展控制項」的 IAM 部落格文章。
